John Franks wrote:
> [...]
> transaction-info =
>     H(
>        Method ":"
>        digest-uri-value ":"
>        media-type ":"          ; Content-Type, see section 3.7 of [2]
>        content-coding ":"      ; Content-Encoding, see 3.5 of [2]
>        dheader-content
>       )
>
> dheader-content = *DIGIT ":"         ; HTTP response status code
>                   *DIGIT ":"         ; entity-length, see ??
>                   date ":"           ; contents of origin HTTP date header
>                   last-modified ":"  ; last modified date
>                   expires            ; expiration date

It's time for me to be stupid again.
The dheader-content gets digested in transaction-info, and it gets sent
in the clear as part of Authentication-Info. Is there any expectation
(or requirement) that a receiver will validate the individual pieces of
dheader-content? If not, then the sender could put arbitrary garbage in
dheader-content, and as long as the same garbage appeared in both
places, the bits will come out right, but nothing useful will have been
accomplished.
Dave Kristol
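The point Kristol raises, as an added Python illustration that is not part of the thread or of the draft: a receiver that recomputes transaction-info from the dheader-content string carried in Authentication-Info learns nothing, because the sender chose both copies of that string, whereas a receiver that rebuilds dheader-content from the response it actually received does catch a mismatch. Assumptions: H() is MD5 rendered as lowercase hex (as RFC 2069 defines it), the response headers and URI are constructed sample data, and the keyed part of the response digest (A1, nonce) is left out so that only the transaction-info piece quoted above is modelled.

```python
import hashlib

# Added example; constructed data, not from the draft or the thread.


def H(s: str) -> str:
    """H() as assumed here: MD5 rendered as lowercase hex (RFC 2069's choice)."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def build_dheader_content(status: int, entity_length: int, date: str,
                          last_modified: str, expires: str) -> str:
    """dheader-content from the quoted grammar: five fields joined by ':'."""
    return ":".join([str(status), str(entity_length), date, last_modified, expires])


def transaction_info(method: str, digest_uri: str, media_type: str,
                     content_coding: str, dheader: str) -> str:
    """transaction-info = H(Method ':' digest-uri-value ':' media-type ':'
    content-coding ':' dheader-content), exactly as quoted above."""
    return H(":".join([method, digest_uri, media_type, content_coding, dheader]))


# Constructed: the response the origin server actually sent.
RESPONSE = {
    "status": 200,
    "Content-Length": 13,
    "Date": "Tue, 15 Nov 1994 08:12:31 GMT",
    "Last-Modified": "Tue, 15 Nov 1994 08:00:00 GMT",
    "Expires": "Wed, 16 Nov 1994 08:12:31 GMT",
    "Content-Type": "text/plain",
    "Content-Encoding": "identity",
}
METHOD, URI = "GET", "/dir/index.html"  # constructed request


def sender_auth_info(dheader: str) -> dict:
    """What the sender places in Authentication-Info: dheader-content in the
    clear plus the transaction-info digest computed over that same string."""
    return {
        "dheader": dheader,
        "transaction-info": transaction_info(
            METHOD, URI, RESPONSE["Content-Type"], RESPONSE["Content-Encoding"], dheader),
    }


def naive_check(auth_info: dict) -> bool:
    """Receiver that trusts the dheader string carried in the header.
    Recomputing the digest from the sender's own string succeeds for any
    content at all, garbage included: this is the failure Kristol describes."""
    expected = transaction_info(
        METHOD, URI, RESPONSE["Content-Type"], RESPONSE["Content-Encoding"], auth_info["dheader"])
    return expected == auth_info["transaction-info"]


def strict_check(auth_info: dict) -> bool:
    """Receiver that rebuilds dheader-content from the response it actually
    received (status, entity length, Date, Last-Modified, Expires) and
    insists the sent copy match before recomputing the digest."""
    rebuilt = build_dheader_content(
        RESPONSE["status"], RESPONSE["Content-Length"], RESPONSE["Date"],
        RESPONSE["Last-Modified"], RESPONSE["Expires"])
    if auth_info["dheader"] != rebuilt:
        return False
    return naive_check(auth_info)


# Constructed cases: an honest sender, and one that fills dheader-content with junk.
HONEST = sender_auth_info(build_dheader_content(
    200, 13, RESPONSE["Date"], RESPONSE["Last-Modified"], RESPONSE["Expires"]))
GARBAGE = sender_auth_info("xyzzy:plugh:junk:junk:junk")

if __name__ == "__main__":
    print("honest  naive/strict:", naive_check(HONEST), strict_check(HONEST))
    print("garbage naive/strict:", naive_check(GARBAGE), strict_check(GARBAGE))
```

The naive receiver accepts both the honest and the garbage Authentication-Info; only the strict receiver, which derives dheader-content independently from the response in hand, rejects the garbage. That independent reconstruction is what turns the digest from a self-consistency check into an integrity check on the response headers.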